FIELD OF THE INVENTION
The invention relates to a method of debiting an electronic payment means, such as an electronic payment card provided with an integrated circuit ("chip card"). In particular, though not exclusively, the invention relates to a method for protectedly debiting prepaid electronic payment cards ("prepaid cards") as these are applied, e.g., for telephone booths. In the present text, the term payment means will be used irrespective of the form or the type of the specific payment means. A payment means may therefore be formed by, e.g., a revaluable payment card (i.e. a payment card whose balance may be increased) or a non-card-shaped electronic payment means.
In recent years, electronic payment means are being applied ever more frequently, not only for paying for the use of public telephone sets, but also for many other payment purposes. Since such a payment means generally comprises a (credit) balance which represents a monetary value, it is necessary to have the exchange of data between such a payment means and a payment station (such as a telephone set designed for electronic payment or an electronic cash register) run according to a protected method (payment protocol). Here, it should be ensured, e.g., that an amount (monetary value or number of calculation units) debited to the payment means correspond to an amount (monetary value or calculation units) credited elsewhere: the amount paid by a customer should correspond to the amount to be received by a supplier. The credited amount may be stored, e.g., in a protected module present in the payment station.
Prior Art payment methods, as disclosed in e.g. European Patent Application EP 0,637,004 which is incorporated by reference in this text, comprise: a first step, in which the balance of the payment means is retrieved by the payment station; a second step, in which the balance of the payment means is lowered (debiting the payment means); and a third step, in which the balance of the payment means is retrieved again. From the difference between the balances of the first and third steps the debited amount may be determined and therewith the amount to be credited in the payment station. In order to prevent fraud here, in the first step use is made of a random number which is generated by the payment station and is transferred to the payment means. On the basis of the first random number, the payment means generates, as a first response, an authentication code which may comprise an (e.g., cryptographic) processed form of, inter alia, the random number and the balance. By using a different random number for each transaction, it is prevented that a transaction may be imitated by replay. In addition, in the third step use is made of a second random number, which is also generated by the payment station and transferred to the payment means On the basis of the second random number the payment means generates, as a second response, a second and new authentication code which may comprise a processed form of, inter alia, the second random number and the new balance. On the basis of the difference between the two transferred balances, the payment station (or a protected module of the payment station) determines by which amount the balance of the payment station should be credited.
Said known method is basically very resistant to fraud as long as a payment means communicates with one payment station (or protected module). The drawback of the known method, however, lies in the fact that the first and second authentication codes are independent. If a second or third payment station (or protected module) communicates with the payment means, it is possible, due to said independence, to separate the first step from the second and third steps. As a result, an apparently complete transaction may be achieved without the payment means in question being debited. It will be understood that such is undesirable.
U.S. Pat. No. 5,495,098, incorporated by reference in this text, discloses a method in which the identity of the security module of the payment station is used to ensure that a data exchange takes place between the card and one terminal only. The protection of the data exchange between the security module, the station and the card is relatively complicated and requires extensive cryptographic calculations.
Other Prior Art methods are disclosed in e.g. European Patent Applications EP 0,223,213 and EP 0,570,924, but these documents do not offer a solution to the above-mentioned problems.